Security risks to an entity, such as a corporation, have become increasingly complex. Many threats to corporate information security, including those attributable to terrorism, organized crime, and/or individual hackers, can be asymmetric, distributed, and/or networked, making cybersecurity risks more difficult to manage. Further, a corporation typically has one or more relationships (e.g., a customer/vendor relationship, a vendor/vendor relationship, a parent/subsidiary relationship, etc.) with other entities to provide and support services (e.g., software-as-a-service applications, etc.) for the corporation. Each of these relationships can impact a cybersecurity risk of the corporation (e.g., because the risk may be dependent upon not only the level of cybersecurity that the corporation has, but also on the level of cybersecurity that its relationship partners have). To manage and evaluate an impact of or vulnerability from a relationship, questionnaires (e.g., requests or inquiries) are often exchanged between two entities. For example, a questionnaire may be used to determine another entity's compliance with an industry standard, evaluate the other entity's cybersecurity risk level, and determine an impact of the relationship on cybersecurity risk levels for each of the entities.
The exchange of questionnaires (e.g., inquiries and/or requests) between two entities is often a time-consuming process. For example, questionnaires, such as a risk management questionnaire, generated and sent from a first entity (e.g., a sender) to a second entity (e.g., a responder) typically are in the form of a spreadsheet or the like. Such questionnaires are conventionally sent between entities via email. From the perspective of the responder, such questionnaires require a manual process of reviewing each question and inputting a response. The responder may receive multiple questionnaires from different entities that may have different file formats, different layouts, and different (yet overlapping) questions. As a result, the responder must give its undivided attention to an often repetitive process of responding to each questionnaire.
Additionally, providing supporting documents and/or evidence is cumbersome when the documents and/or evidence are sent as attachments to the questionnaire in an email. In some situations, communications involving the questionnaire and/or additional documents/evidence are unsecure. Further, providing comments or asking questions of the sender often occurs via email or phone such that feedback is not recorded in a responsive document itself.
From the perspective of the sender, it is difficult to track the questionnaires in different formats, some of which are returned with separate supporting documents and/or evidence, exacerbating the difficulty of also providing feedback and/or resolving discrepancies. Also, due to the time-consuming nature of responding to and evaluating a questionnaire, responses to a completed/accepted questionnaire may become irrelevant and/or no longer accurate. In view of the foregoing, use of questionnaires to obtain information from another entity, such as a relationship partner, is a challenging endeavor for receiving reliable and timely information. Further, analysis of the information is also time-consuming and tedious. Thus, it is often difficult to determine how a cybersecurity risk level of an entity and/or its relationship partner may be impacted or understood in view of the information.